Do mutate policies require internet access? #9368
We are deployed into a whitelist-only environment, so we cannot reach things like docker.io etc. We are wanting to rewrite the registries to point to our Harbor instance, which can reach out to those registries. In testing, one of the problems I noticed is that you fail to rewrite when it's not against a public registry.
Replies: 4 comments 5 replies
Only when using the pre-defined
A clarification: the builtin The kyverno/policies#882 (comment) @jseiser - your output shows
Basic rundown of the situation: 1 EKS cluster, in a non-public AWS environment, that has outbound/internet access on a whitelist-only policy. Even DNS lookups are blocked. Harbor is accessible, and has private image proxies configured for every common public registry. The AWS VPC that the cluster sits in has VPC Endpoints created for AWS ECR access, so the nodes are able to pull AWS images hosted in their private ECR registries via the node's IAM role, so we do not need/want to overwrite them. So Kyverno cannot query Docker Hub, for instance, and then rewrite the registry, because the query to Docker Hub would be blocked. Kyverno can also not query the Harbor proxy(s) unless it's able to provide an image pull secret while doing so.

Example Inputs
Example Outputs
Thanks.
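A mutate policy of the kind being discussed, written here as an added illustration (it is not from the thread or from the Kyverno policy library): it rewrites container images to a Harbor host purely by string manipulation of the image reference, so Kyverno never has to contact Docker Hub or any other registry, and it leaves private ECR images untouched. The Harbor hostname `harbor.example.internal` and the convention that each Harbor proxy project is named after the upstream registry host are assumptions.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: rewrite-public-registries-to-harbor
spec:
  background: false
  rules:
    - name: rewrite-container-images
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        foreach:
          # 1. Images whose first path component contains a dot (a registry hostname): swap the host
          #    for Harbor and keep the upstream host as the proxy project name (assumed layout),
          #    e.g. quay.io/a/b -> harbor.example.internal/quay.io/a/b
          - list: request.object.spec.containers
            preconditions:
              all:
                # Private ECR images are pulled through VPC endpoints with the node role; leave them alone.
                - key: "{{ element.image }}"
                  operator: NotEquals
                  value: "*.dkr.ecr.*.amazonaws.com/*"
                # Already pointed at Harbor: nothing to do.
                - key: "{{ element.image }}"
                  operator: NotEquals
                  value: "harbor.example.internal/*"
            patchStrategicMerge:
              spec:
                containers:
                  - name: "{{ element.name }}"
                    image: "{{ regex_replace_all('^([^/]+\\.[^/]+)/(.*)$', '{{ element.image }}', 'harbor.example.internal/$1/$2') }}"
          # 2. Docker Hub shorthand (nginx:1.25, bitnami/redis) carries no host, so route it to the
          #    docker.io proxy project; official images get the library/ prefix Harbor expects.
          - list: request.object.spec.containers
            preconditions:
              all:
                - key: "{{ regex_match('^[^/]+[.:][^/]*/', '{{ element.image }}') }}"
                  operator: Equals
                  value: false
            patchStrategicMerge:
              spec:
                containers:
                  - name: "{{ element.name }}"
                    image: "harbor.example.internal/docker.io/{{ regex_replace_all('^([^/]+)$', '{{ element.image }}', 'library/$1') }}"
```

Because both loops only inspect the image string, nothing in this policy needs egress or a pull secret; if a registry-lookup context (such as an imageRegistry context entry) were added, that is the point at which internet access would become a requirement.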
Please mark as answered if resolved.
#9381